[
https://issues.apache.org/jira/browse/ZOOKEEPER-4259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Damien Diederen resolved ZOOKEEPER-4259.
----------------------------------------
Fix Version/s: 3.8.0
Resolution: Fixed
> Allow AdminServer to force https
> --------------------------------
>
> Key: ZOOKEEPER-4259
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4259
> Project: ZooKeeper
> Issue Type: Improvement
> Components: security
> Affects Versions: 3.7.0
> Reporter: Norbert Kalmár
> Assignee: Norbert Kalmár
> Priority: Minor
> Labels: pull-request-available
> Fix For: 3.8.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> Since portunification (ZOOKEEPER-3371), AdminServer supports https. But there
> is no way to disable http and allow https only. It is my understanding, that
> to be FLIPS compliant, only https is allowed. This is one reason it is good
> to have such a feature.
> To enable https currently, we need to set these parameters in zoo.cfg:
> {code:java}
> ssl.quorum.keyStore.location=/tmp/zookeeper/keystore.jks
> ssl.quorum.keyStore.password=password
> ssl.quorum.trustStore.location=/tmp/zookeeper/truststore.jks
> ssl.quorum.trustStore.password=password
> admin.portUnification=true
> {code}
> I generated keystore and truststore with the following commands:
> {code:java}
> #create test/dev keystore/truststore (ZK runs only on localhost)
> keytool -genkeypair -alias zk.dev -keyalg RSA -keysize 2048 -dname
> "cn=zk.dev" -keypass password -keystore /tmp/zookeeper/keystore.jks -ext
> san=dns:localhost -storepass password
> keytool -exportcert -alias zk.dev -keystore /tmp/zookeeper/keystore.jks -file
> /tmp/zookeeper/zk.dev.cer -rfc
> keytool -keystore /tmp/zookeeper/truststore.jks -storepass password
> -importcert -alias zk.dev -file /tmp/zookeeper/zk.dev.cer
> #check
> keytool -list -v -keystore /tmp/zookeeper/truststore.jks
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
